Yeah 99% of the time things will be fine, but if that 1% of the time somebody loses like 500,000$ because nobody warned him. Who's fault will that be?
It'll be yours if they follow your advice and end up in a worse situation, that's why I'm being so adamant about this.
You're not "overblowing" the problems, you're completely mis-stating the threat, the attack surface and the proper solution.
You don't comprehend the threat, it's nature, or it's applicability. You don't seem to understand that this is not an exploitable vulnerability in the general sense. You would have to have downloaded apt from an untrusted source, and then you would have needed to download a compromised package and that package would need to drop malware and get it to run. This isn't likely at all. In fact I'm going to go out on a limb here and say there is a 0% chance this has happened to any one at all, ever since https and app signing were introduced.
Again this isn't windows, we don't just install random crap from random sources via apt. There are other checks in place and you can trust these checks, because lots and lots of people are watching for exactly this sort of shenanigans.
It and your proposed solution leaves the system in an unpatched state where there are known exploits. It doesn't fix it, it makes it worse.
Here is a list of 72 known exploits your "fix" re-introduces.
https://www.ubuntu.com/usn/
You'll notice that the exploit you're concerned about is still on that list. So your solution doesn't fix the problem it just adds 71 more in addition to the heavy work of re-establishing the system configuration after an FFR. Which in the case of some computers requires manually editing config files just to get the internet functional, raid drivers running and don't get me started on 3D graphics.
But if APT is compromized, then the game is over, any malware can reside on your PC. And you cannot trust any hash from that PC, since there exist malwares that could modify it. This is the biggest type of risk there is, when the updater itself could be compromized.
This isn't windows. APT is pulling from https URLs. The URLs are all well known as is their complete contents including the hashes of the files hosted there. There isn't a "broken APT" circulating in the wild. There is no package in any repo that had this bad sig issue. There isn't malware in any of the official repositories. They all pass independent signature verification. Independent, as in a lot of people and systems are checking these things every single time we update our systems. With more than just apt and more than just one hash algo.
So yes I'm going to be a bit dramatic here. You're giving bad advice. I mean it, this is genuine bad advice. You either didn't read the CVE, or you completely misunderstood it. But your advice weakens systems that BTW have very likely already patched against this with no ill effects.
I am not sure I follow you. What are you talking about here?
I have said in my article that if the solution is fixed, only then download he latest release. I was also implying but forgot to say that the latest "stable" release should be downloaded, if that is a more accurate explanation, i will edit it in the article.
Other than that how is it actually more risky to update than to leave the current flawed version on the PC?
Just for the record , I am not using Ubuntu. I was referring to Debian mostly.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
The "latest release" is an iso file that was cut months ago. For 16.04 LTS that would mean rolling all the way back to April. For 16.10 it's only since October, but that's still a ton of vulnerabilities to reintroduce into your system.
It's not like there's a daily snapshot you can grab, unless you're living dangerously and going onto one of the dev branches.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
And you know, this guy's "fix" would also re-introduce the flawed apt package, which likely would already have been fixed. I don't understand why this guy has such a hard time understanding why he's wrong.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit
Well then just update the system manually. Get the latest apt package updated first, and then download the rest of the updates.
It's bad if the new releases come out monthly, people need rely heavily on the updater then.
You can always just use a RPM based distro until a new ISO image comes out for debian OS's for example.
Downvoting a post can decrease pending rewards and make it less visible. Common reasons:
Submit